Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9EF2C1A000B for ; Sat, 12 Apr 2014 20:33:27 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.6 X-Spam-Level: X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nvMEvtd3Exr2 for ; Sat, 12 Apr 2014 20:33:25 -0700 (PDT) Received: from na01-bl2-obe.outbound.protection.outlook.com (mail-bl2lp0212.outbound.protection.outlook.com [207.46.163.212]) by ietfa.amsl.com (Postfix) with ESMTP id B54791A000F for ; Sat, 12 Apr 2014 20:33:24 -0700 (PDT) Received: from BL2PR03CA018.namprd03.prod.outlook.com (10.141.66.26) by BLUPR03MB017.namprd03.prod.outlook.com (10.255.208.39) with Microsoft SMTP Server (TLS) id 15.0.921.12; Sun, 13 Apr 2014 03:33:16 +0000 Received: from BL2FFO11FD010.protection.gbl (2a01:111:f400:7c09::125) by BL2PR03CA018.outlook.office365.com (2a01:111:e400:c1b::26) with Microsoft SMTP Server (TLS) id 15.0.918.8 via Frontend Transport; Sun, 13 Apr 2014 03:33:16 +0000 Received: from mail.microsoft.com (131.107.125.37) by BL2FFO11FD010.mail.protection.outlook.com (10.173.161.16) with Microsoft SMTP Server (TLS) id 15.0.918.6 via Frontend Transport; Sun, 13 Apr 2014 03:33:15 +0000 Received: from TK5EX14MBXC286.redmond.corp.microsoft.com ([169.254.1.232]) by TK5EX14MLTC102.redmond.corp.microsoft.com ([157.54.79.180]) with mapi id 14.03.0174.002; Sun, 13 Apr 2014 03:32:53 +0000 From: Mike Jones To: Chuck Mortimore Thread-Topic: [OAUTH-WG] Proof-Of-Possession Semantics for JSON Web Tokens (JWTs) Thread-Index: Ac9OJMm2QQWqL+riTTewCyU8ts655AIkJjcAAATakwA= Date: Sun, 13 Apr 2014 03:32:52 +0000 Message-ID: <4E1F6AAD24975D4BA5B16804296739439A155FFB@TK5EX14MBXC286.redmond.corp.microsoft.com> References: <4E1F6AAD24975D4BA5B16804296739439A132083@TK5EX14MBXC286.redmond.corp.microsoft.com> In-Reply-To: Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [157.54.51.37] Content-Type: multipart/alternative; boundary="_000_4E1F6AAD24975D4BA5B16804296739439A155FFBTK5EX14MBXC286r_" MIME-Version: 1.0 X-EOPAttributedMessage: 0 X-Forefront-Antispam-Report: CIP:131.107.125.37; CTRY:US; IPV:CAL; IPV:NLI; EFV:NLI; SFV:NSPM; SFS:(10009001)(438001)(377454003)(189002)(199002)(24454002)(77982001)(71186001)(81342001)(15975445006)(2009001)(86612001)(80976001)(19300405004)(4396001)(54356999)(92566001)(76176999)(76482001)(81542001)(16236675002)(83072002)(6806004)(19580395003)(86362001)(46102001)(15202345003)(66066001)(83322001)(19580405001)(44976005)(2656002)(80022001)(84676001)(74502001)(87936001)(55846006)(79102001)(92726001)(20776003)(97736001)(33656001)(512954002)(85852003)(84326002)(85806002)(74662001)(50986999)(31966008)(99396002)(6606295002); DIR:OUT; SFP:1101; SCL:1; SRVR:BLUPR03MB017; H:mail.microsoft.com; FPR:CC40D19E.9E3A46D9.B3D3BD49.4CF0F471.20311; PTR:InfoDomainNonexistent; MX:1; A:1; LANG:en; X-O365ENT-EOP-Header: Message processed by - O365_ENT: Allow from ranges (Engineering ONLY) X-Forefront-PRVS: 018093A9B5 Received-SPF: Pass (: domain of microsoft.com designates 131.107.125.37 as permitted sender) receiver=; client-ip=131.107.125.37; helo=mail.microsoft.com; X-OriginatorOrg: microsoft.onmicrosoft.com Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/Vrkcm_qCbc2uj1ncTzsfie0E9UM Cc: "oauth@ietf.org" Subject: Re: [OAUTH-WG] Proof-Of-Possession Semantics for JSON Web Tokens (JWTs) X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 13 Apr 2014 03:33:27 -0000 --_000_4E1F6AAD24975D4BA5B16804296739439A155FFBTK5EX14MBXC286r_ Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable Is having multiple confirmation keys a common case? I'd rather we "make si= mple things simple" than build the most general solution possible. If an a= pplication really needs multiple confirmation keys, it can always defined a= "jwks" element and the handling rules for it, and go for it... -- Mike From: Chuck Mortimore [mailto:cmortimore@salesforce.com] Sent: Saturday, April 12, 2014 6:12 PM To: Mike Jones Cc: oauth@ietf.org Subject: Re: [OAUTH-WG] Proof-Of-Possession Semantics for JSON Web Tokens (= JWTs) Good start here Mike! One quick question - I see the "cnf" member is defined as a JWK. Why not a= JWK Set? I could see use-cases for binding in multiple keys. -cmort On Tue, Apr 1, 2014 at 8:36 PM, Mike Jones > wrote: I've written a concise Internet-Draft on proof-of-possession for JWTs with = John Bradley and Hannes Tschofenig. Quoting from the abstract: This specification defines how to express a declaration in a JSON Web Token= (JWT) that the presenter of the JWT possesses a particular key and that th= e recipient can cryptographically confirm proof-of-possession of the key by= the presenter. This property is also sometimes described as the presenter = being a holder-of-key. This specification intentionally does not specify the means of communicatin= g the proof-of-possession JWT, nor the messages used to exercise the proof = key, as these are necessarily application-specific. Rather, this specifica= tion defines a proof-of-possession JWT data structure to be used by other s= pecifications that do define those things. The specification is available at: * http://tools.ietf.org/html/draft-jones-oauth-proof-of-possession-0= 0 An HTML formatted version is available at: * http://self-issued.info/docs/draft-jones-oauth-proof-of-possession= -00.html -- Mike P.S. This note was also posted at http://self-issued.info/?p=3D1210 and as= @selfissued. _______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth --_000_4E1F6AAD24975D4BA5B16804296739439A155FFBTK5EX14MBXC286r_ Content-Type: text/html; charset="us-ascii" Content-Transfer-Encoding: quoted-printable

Is having multiple confir= mation keys a common case?  I’d rather we “make simple thi= ngs simple” than build the most general solution possible.  If a= n application really needs multiple confirmation keys, it can always defined a “jw= ks” element and the handling rules for it, and go for it…<= /o:p>

 <= /p>

    &= nbsp;           &nbs= p;            &= nbsp;           &nbs= p;            &= nbsp;     -- Mike

 <= /p>

From: Chuck Mo= rtimore [mailto:cmortimore@salesforce.com]
Sent: Saturday, April 12, 2014 6:12 PM
To: Mike Jones
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] Proof-Of-Possession Semantics for JSON Web T= okens (JWTs)

 

Good start here Mike!

 

One quick question - I see the "cnf" membe= r is defined as a JWK.  Why not a JWK Set?    I could see us= e-cases for binding in multiple keys.

 

-cmort

 

 

 

On Tue, Apr 1, 2014 at 8:36 PM, Mike Jones <Michael.Jones@m= icrosoft.com> wrote:

I’ve written a concise Internet-Draft on proof-of-possession= for JWTs with John Bradley and Hannes Tschofenig.  Quoting from the a= bstract:

 

This specification defines how to express a declaration in a JSON Web To= ken (JWT) that the presenter of the JWT possesses a particular key and that= the recipient can cryptographically confirm proof-of-possession of the key= by the presenter. This property is also sometimes described as the presenter being a holder-of-key.

 

This specification intentionally does not specify the means of com= municating the proof-of-possession JWT, nor the messages used to exercise t= he proof key, as these are necessarily application-specific.  Rather, this specification defines a proof-of-= possession JWT data structure to be used by other specifications that do de= fine those things.

 

The specification is available at:

·        http://tools.ietf.org/html/draft-jones-oauth-= proof-of-possession-00

 

An HTML formatted version is available at:

·        http://self-issued.info/docs/draft-jon= es-oauth-proof-of-possession-00.html

 

      =             &nb= sp;            =             &nb= sp;            =     -- Mike

 

P.S.  This note was also posted at http://self= -issued.info/?p=3D1210 and as @selfissued.

 


_______________________________________________
OAuth mailing list
OAuth@ietf.org
h= ttps://www.ietf.org/mailman/listinfo/oauth

 

--_000_4E1F6AAD24975D4BA5B16804296739439A155FFBTK5EX14MBXC286r_--